[TriLUG] Privileges and Social Engineering
Jeff Tickle
jtickle at jtsoft.net
Tue Jun 15 22:26:19 EDT 2004
> Sorry for the delay in replying, but I've been away from the keyboard. I was thinking of password guessing, yes. As a little more explanation of my thinking, I had in mind an ordinary person, inexperienced with Linux, the sort of person who selects their birthday / spouse's name, or the like for their login password. The original post, IIRC, spoke of such an inexperienced user.
Good call. I didn't even think of that... you're right, the average
user wouldn't even bother trying to change "ilovejennie" to
"!10v3J3|\||\|!3".
Oh well. So for average-user systems, disabling root login altogether
is a good deal... and then you have to su. Still not exactly secure but
at least it's not just sticking a sign out front begging for a hacking.
> Disabling root login makes password guessing more difficult, since if root login is disabled, then the bad guy needs to not only guess a password, but guess the password of a user in the group permitted to su.
>
> About secure passwords, I've seen warnings when a dictionary entry is selected as a password (Mandrake again?), but the warning doesn't prevent the user selecting the dictionary entry as a password.
--
Jeff Tickle <jtickle at jtsoft.net>
JTSoft.net
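
Added example, not part of the original message: a password check that refuses a weak choice instead of only warning about it, and that treats a leet-substituted spelling the same as the plain word. The word list, the personal tokens, the substitution table and all function names are constructed for illustration; a real system would load a full dictionary.

```python
import re

# Constructed sample word list (assumption: a real check loads a full dictionary).
WORDLIST = {"love", "password", "dragon", "monkey", "letmein"}

# Multi-character leet sequences are undone before single characters.
LEET_MULTI = [("|\\/|", "m"), ("|\\|", "n"), ("|<", "k")]
LEET_SINGLE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def normalize(password):
    """Lower-case the password and undo common leet substitutions."""
    text = password.lower()
    for seq, letter in LEET_MULTI:
        text = text.replace(seq, letter)
    return text.translate(LEET_SINGLE)


def check_password(password, personal=(), min_len=10):
    """Return the reasons to reject; an empty list means acceptable."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    plain = normalize(password)
    # Personal details (spouse's name and the like) are checked after normalizing.
    for token in personal:
        if len(token) >= 3 and token.lower() in plain:
            reasons.append("contains personal detail: " + token)
    for word in sorted(WORDLIST):
        if len(word) >= 4 and word in plain:
            reasons.append("contains dictionary word: " + word)
    # An all-digit string of 6 to 8 characters is treated as a date (birthday).
    if re.fullmatch(r"\d{6,8}", password):
        reasons.append("looks like a date")
    return reasons


def set_password(password, personal=()):
    """Enforce the policy: refuse the change rather than print a warning."""
    reasons = check_password(password, personal)
    if reasons:
        raise ValueError("password rejected: " + "; ".join(reasons))
    return True
```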